[supernova87a]

I believe the practical solution for many people is to switch the 2FA to an authenticator on-your-phone code generator, which someone cannot hack easily.

Most important account / banks / etc services now offer this option.

The only thing is, though, make sure to keep backups of the codes you use to initialize the authenticator app, because for some services there is no recovery if you lose your phone or don't have backups.

[shishy]

Hi, which bank(s) offer this?

> switch the 2FA to an authenticator on-your-phone code generator, which someone cannot hack easily.

I remember looking a few months ago and they only offered SMS 2FA.

Thanks

[supernova87a]

Sorry, I should've been more specific/accurate. I meant brokerages, like Fidelity, Etrade, Schwab -- where you're likely to have more funds/$ than a regular consumer bank. They do offer it. Even Amazon offers it.

And you are right, I have not seen any of the banks I use convert to authenticator (BofA, Chase, etc).

I can only guess that they think it's too difficult for the average consumer to understand or implement. But the fact that they don't even offer as an option is unfortunate.

edit: actually I correct myself, seems like BofA may actually offer something like this: https://play.google.com/store/apps/details?id=com.bankofamer...

However, I can't tell/test because I don't use Android

[jfrunyon]

Unfortunately, Fidelity (at least for my account) only offers some non-standard "Symantec VIP" product. Does someone reading this know if there's a way to turn it into standard TOTP?

[supernova87a]

Yes, Symantec VIP is their TOTP solution they're chosen. Etrade also uses it.

I find it less friendly than the normal QR code, since you can't back it up or clone it (and it's proprietary, although that is not a huge concern for me). Basically the app is both the server and the code generator (?) because the website you log on to does not issue you a shared secret, the app creates it itself. Every device has its own unique code, so it can't be cloned.

Fidelity enforces that you can't have multiple devices floating around able to log in -- they don't let you enroll multiple devices if you opt in to it. (Although why exactly I don't know, because Etrade does). It is a pain because 1) I want multiple devices to have my codes as backup, 2) I want one of my family members to be able to log in -- although they say, you should make that person an authorized user who can use his/her own login + own VIP code.

It's a pain, and I'm still debating whether or not to activate it. The interesting part is they clearly have a fall back in-person way to turn this off / help you if you forget or get locked out. You have to even call them in person to turn this feature on.

[jfrunyon]

I was able to find this. Haven't attempted it yet but it appears that it is in fact standard TOTP, only the VIP app generates the seed and you have to provide the seed to (in this case) Fidelity. https://gist.github.com/jarbro/ca7c9d3eebba1396d53b4a7228575...

And yeah, my biggest problem with it is that I already have a solution for TOTP; I don't really want to also figure out some solution for their proprietary garbage.

[UncleMeat]

> which someone cannot hack easily

Everybody gets phished. Much easier than sim swaps.